Abstract


The Kahn Principle states that each node in an asynchronous deterministic
network computes a continuous function from input histories to output histories,
and the behavior of the network can be characterized as a least fixed
point. Fairness plays a vital but implicit role: the Kahn Principle is only
sound when network execution is assumed to be (weakly) fair. Kahn’s model
does not extend easily to non-deterministic networks, since the obvious
generalization to continuous relations on histories is not compositional. Previous
attempts to model non-deterministic networks have sought to remain faithful
to Kahn’s spirit by retaining some form of continuity assumption; these
approaches typically apply only to a limited class of network and do not
deal adequately with fairness. We argue that for non-deterministic networks
the assumption of continuity is not operationally justifiable, whereas fairness
is still vital. We provide a compositional model for fair non-deterministic
networks, based on trace sets which can be regarded as history relations
“extended in time” to allow for the possibility of interference during
execution. For a deterministic network one can extract the Kahn-style history
function from the network’s trace set, showing that our model is a natural
generalization of Kahn’s.


1  Introduction 

Kahn networks [Kah77, KM77] provide an abstract model of the interactive
behavior of systems of parallel asynchronous deterministic processes. A
network can be viewed as a graph whose nodes represent computing agents and
whose arcs represent communication channels. Each node performs some
deterministic sequential computation, consuming input and producing output;
channels are interpreted as unbounded buffers. Nodes are executed in
parallel, subject to the obvious constraints that a node attempting to input
from an empty channel must wait until the channel receives some input. The
assumption of determinism has an obvious advantage, since it permits the
use of an extremely simple and intuitive semantic model that abstracts away
from operational details concerning execution order.

Kahn gave an elegant mathematical model of network behavior based on
a simple semantic domain of streams or histories, which represent the actual
or potential traffic along a communication channel. When $V$ is the set of
data values appropriate for transmission along a channel, the corresponding
domain of histories is the set $V^\infty = V^* \cup V^\omega$ of finite and infinite sequences,
ordered by prefix. Operational intuition then suggests that each node
computes a continuous function from the histories of its input channels to the
histories of its output channels. Kahn’s rationale for assuming continuity is
based on the following intuitive remarks about the input-output behavior of
a node:

•  Each  output  is  “caused”  by  the  consumption  of  a  finite  amount  of  input. 

•  Availability  of  more  input  can  only  provoke  more  output. 

•  An  infinite  output  “occurs”  only  as  the  limit  of  its  finite  prefixes. 

Of course an infinite history should be regarded as “potential” rather than
having actually occurred, since at any stage in execution only a finite amount
of data can have been communicated so far. For example, a “buffer” process
carrying data from the set $V$, with a single input channel and a single output
channel, computes the identity function from $V^\infty$ to $V^\infty$. If supplied with
a longer and longer sequence of input the buffer produces a correspondingly
longer and longer sequence of output; the potential availability of infinite
input is transformed into the potential for infinite output.

Taken collectively, the nodes of a network compute a tuple of mutually
recursive continuous functions, with recursion reflecting feedback cycles in the
network’s communication graph. The Kahn Principle states that the
operational behavior of the network corresponds to the input-output function
obtained as the least fixed point of the corresponding functional [Tar55, Sco82].
This gives rise to a powerful methodology for reasoning about deterministic
networks, using standard domain-theoretic fixed-point theorems.

Kahn’s approach has several advantages. The programming notation used
for nodes and networks is appealingly straightforward. The graphical
notation is very intuitive, and gives rise to a simple network “calculus” based on
a few natural graph-theoretic operations: juxtaposition (parallel composition
of disjoint networks), cascading (linking the outputs of one network with the
inputs of another), and feedback (feeding outputs from part of a network
back to serve as inputs for another part of the network). Kahn’s functional
semantics for these network constructs is particularly simple: juxtaposition
amounts to forming the product of two input-output functions, cascading
amounts to composition of input-output functions, and feedback is handled
by introducing a recursively defined history.

Although  Kahn  did  not  explicitly  describe  an  operational  semantics  for 
networks,  so  that  the  validity  of  his  Principle  was  not  formally  demonstrated, 
he  did  provide  informal  justification  and  a  series  of  compelling  examples.  It 
was  shown  later  that  Kahn’s  semantics  is  sound  with  respect  to  an  operational 
semantics  based  on  “token-pushing”  [Fau82]. 


Notation 

For illustration we adopt a notation similar to Kahn’s, combining a CSP-like
syntax for communication primitives with an Algol-like syntax for processes,
subject to a few syntactic constraints enforcing determinism¹. In contrast
to CSP [Hoa78], communication is taken to be asynchronous: an output can
occur “autonomously”, but an attempt to input from an empty channel will
block until data becomes available. As in Kahn’s presentation, we use the
keyword process rather than procedure (as in Algol), and each kind of node
is specified as a process definition parameterized over the node’s input and
output channel names. Consequently, for the purposes of this paper we need
only consider (the analogues of) first-order procedures. We also use local
variables where necessary to represent internal data maintained by a node.
For example the syntax local h in P describes a process P equipped with a
local variable h; the usual scoping conventions apply, so that for instance in

(local h in P) || Q

the process Q does not have access to the local variable.

¹ No process is allowed to attempt input simultaneously on two channels; no pair of
nodes in a network is permitted to share an input channel or an output channel.

Our notation is (usually implicitly) typed, with chan[r] representing the
type of channels carrying messages of datatype r, and var[r] representing
the type of variables of datatype r. Datatypes include int (integers), bool
(truth values) and unit (the unit type, with sole member *). We let proc be
the type of processes. Thus, for instance, a process definition with a single
integer input channel and a single integer output channel would be given the
procedure type chan[int] × chan[int] → proc.

An  example 

To demonstrate Kahn’s methodology, consider a family of networks built
from “register”, “duplicator”, and “adder” nodes defined as follows:

process reg(i, o) =
    local x in
        (o!0; while true do (i?x; o!x));
process dup(h, o1, o2) =
    local x in
        while true do (h?x; o1!x; o2!x);
process add(i1, i2, o) =
    local x, y in
        while true do (i1?x; i2?y; o!(x + y));

These nodes may be instantiated and linked to form a “sum” network, by
joining the output of an add node to the input of a dup node, joining the
second output of the dup node to the input of a reg node, and joining the
output of the reg node to the second input of the add node, as in Figure 1. The
joined channels then become “internal”, so that the overall network produced
in this manner has a single input channel and a single output channel; this
is indicated in the Figure by the use of dotted lines for internal channels.

Figure 1: The sum network

Using the programming notation the above network can be represented as:

process sum(in, out) =
    local in', on, out' in
        add(in, in', on) || dup(on, out, out') || reg(out', in')

Note the explicit localization of “internal” channels, and the use of parallel
composition. The type of sum is chan[int] × chan[int] → proc.

Kahn’s graphical notation abstracts away from certain syntactic details
that become apparent when using the process language. For example, the
above network can also be constructed in stages, corresponding to the
following three alternative process definitions:

process sum1 =
    local out', in' in
        (reg || local on in (add || dup));
process sum2 =
    local on, out' in
        (dup || local in' in (reg || add));
process sum3 =
    local in', on in
        (add || local out' in (dup || reg));

Figure 2: The networks sum1, sum2, and sum3.


These alternative formulations represent what happens when the order of
composition is chosen in the three obvious ways. For example in sum1 we
first “cascade” add onto dup, identifying the output channel of add with the
input channel of dup; then cascade the second output of dup onto reg; then
feed the output of the reg node back in as the second input to add. These
three alternatives are displayed in Figure 2, using dashed lines to indicate
subnetwork structure. Obviously these four networks ought to be behaviorally
equivalent, and any reasonable semantic model should make this clear.

Following Kahn’s approach, the functional behavior of the nodes is
described as follows, using the standard list-manipulation primitives. For each
node we specify a continuous function from input histories to output
histories.

The equation defining the behavior of the add node is:

$F_{add}(in, in') = \text{if } in = \epsilon \lor in' = \epsilon \text{ then } \epsilon \text{ else } (hd(in) + hd(in')) :: F_{add}(tl(in), tl(in'))$

Here in and in' range over and :: is the usual infix “cons” operator. This
equation thus reflects the intuition that an add node waits for its two input
channels to produce an integer, whereupon it consumes them, outputs their
sum, and recurses. Actually this function definition is itself recursive, but it
is easy to see that the least fixed point of the corresponding functional is the
intended function $F_{add}$, representing the correct operational behavior.

The equations for dup and reg nodes are simpler: dup merely copies its
input onto both of its output channels, so we will use the same equation for
both output channels; reg outputs an initial zero and thereafter copies input
to output. Letting on and out' range over the domain of integer histories,
we therefore have:

$F_{dup}(on) = on$
$F_{reg}(out') = 0 :: out'$

Next we examine the network for sum, taking into account the channel
linkages between nodes, leading to the following “network equations”:

$on = F_{add}(in, in')$
$out = F_{dup}(on)$
$out' = F_{dup}(on)$
$in' = F_{reg}(out')$

By substitution and algebraic manipulation we can then extract the following
recursive formulation for out as a function of in:

$out = \text{if } in = \epsilon \text{ then } \epsilon \text{ else } hd(in) :: F_{add}(tl(in), out)$

Kahn’s semantics thus predicts that for a particular input history in, the
output produced on channel out is the least fixed point of the continuous
functional

$G(in) = \lambda out.\ \text{if } in = \epsilon \text{ then } \epsilon \text{ else } hd(in) :: F_{add}(tl(in), out)$

It can then be shown, by analyzing the least fixed point of this function for
fixed values of in, that when in is a finite sequence $[v_1, \ldots, v_n]$ the output is
the sequence $[v_1, (v_1 + v_2), \ldots, (v_1 + \cdots + v_n)]$ of “prefix sums”, and when in is
infinite the output is the corresponding infinite sequence of prefix sums². In
particular, when in is empty so is out. Note that the causality relationship
between inputs and outputs is accurately represented by this simple
functional description, in that the length of the output is always equal to the
length of the input - each input triggers the availability of the next output³.

² The proof for finite input is by induction on the length of in, using the fact that the
least fixed point of G(in) is the limit of the sequence built by iterating the application of
G(in) to the empty history. The case when in is infinite then follows by continuity.

The three alternative decompositions of the sum network each give rise to
slightly different sets of functional equations, but in each case the equation
defining out has the same least fixed point. This property relies on some
elementary fixed point theory, in particular using Bekić’s Theorem on the
replacement of a simultaneous mutually recursive definition by a nested
sequence of single recursions, so that one can “solve” the network equations in
any order. This property, although seemingly obvious at an intuitive level,
is actually important in justifying Kahn’s use of graphical notation: even
though the notation is syntactically ambiguous, the same graph
representing many alternative “concrete” networks differing in the order in which the
nodes are combined, the notation is semantically unambiguous.

As the above example shows, Kahn’s semantics can be used to prove
non-trivial properties of networks. In particular, although the semantics describes
only complete (potential) histories, it still supports analysis of many safety
and liveness properties. For example, it follows from the above analysis that
the sum network satisfies the safety property that the output forms a
non-decreasing sequence of integers, and the liveness property that if the input is
infinite then so is the output.

Operational  considerations 

Kahn’s Principle can be interpreted as stating that the least fixed point
characterization of network behavior is operationally justified, in that the
input-output behavior predicted by the fixed-point construction is an
accurate abstraction from operational behavior. Of course the reason why such an
abstraction is desirable is obvious: to avoid having to reason about details of
scheduling and timing that are beyond the programmer’s control and would
anyway complicate matters excessively. Although Kahn did not formally
specify an operational semantics for networks it seems to have been
generally accepted as almost obvious that Kahn’s intuitions were sound. Indeed
it has been shown that Kahn’s model is consistent with a form of
“token-pushing” operational semantics [Fau82], and for non-deterministic networks
various models have been suggested and connections have been established
with operational semantics based on I/O automata [Sta89, LS89].

³ Actually the use of the word “always” is slightly misleading, since the functional
description only characterizes the “final” output history that will be produced eventually
when the network is supplied with a given input sequence. At various stages during
execution the length of the output produced so far might lag behind the number of input
items consumed so far, but the input-output history function is insensitive to such details.

Kahn tacitly assumed the existence of an operational semantics based on
a weakly fair execution [Par79], so that every node that has not yet
terminated will eventually be given a chance to run⁴. Any reasonable scheduling
strategy, such as round-robin, has this property; assuming fairness thus
allows us to abstract away from the details of any particular scheduler and
this weak form of fairness is a valid abstraction from “realistic” network
implementation. The soundness of Kahn’s model relies on the fact that the
input-output function of a deterministic network is independent of scheduling
details, provided fairness is assumed. It can be shown that Kahn’s semantics
of deterministic networks is consistent with a standard operational semantics
of networks, in which parallel composition is interpreted as fair interleaving.
(See Appendix A for the relevant transition rules.)

Without this fairness assumption the Kahn Principle ceases to be valid,
since it becomes impossible to justify the use of continuous functions to
represent the abstract behavior of networks. For example, consider the prefix-sum
network discussed earlier. If implemented unfairly, by a scheduler which
fixates on the duplicator node, no output will ever get produced, contradicting
the predicted functional behavior. If we abstract over all possible schedulers,
including unfair ones, the best we can say about this network is that it
computes a relation on histories, since more than one output history is possible
for a given input history.
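
The least fixed point of G(in) and the fairness requirement can both be checked mechanically. The following Python sketch is an added example, not code from the paper: it computes the least fixed point by iterating G(in) from the empty history and runs the sum network under several schedulers. The generator encoding of nodes, the step budget and all function names are assumptions of this example.

```python
import random
from collections import deque

def f_add(a, b):
    """F_add on finite histories: pointwise sums while both inputs have a head."""
    return tuple(x + y for x, y in zip(a, b))

def G(inp):
    """G(in) = λout. if in = ε then ε else hd(in) :: F_add(tl(in), out)."""
    def g(out):
        return () if not inp else (inp[0],) + f_add(inp[1:], out)
    return g

def least_fixed_point(g):
    """Iterate g from the empty history ε until the chain of prefixes is stable."""
    out = ()
    while (nxt := g(out)) != out:
        out = nxt
    return out

def run(inp, schedule, steps=2000):
    """Run sum(in, out) operationally; schedule(k) names the node run at step k."""
    ch = {c: deque() for c in ("in", "in'", "on", "out", "out'")}
    ch["in"].extend(inp)

    def recv(c):
        while not ch[c]:
            yield                      # blocked on an empty channel
        return ch[c].popleft()

    def add():                         # while true do (i1?x; i2?y; o!(x + y))
        while True:
            x = yield from recv("in")
            y = yield from recv("in'")
            ch["on"].append(x + y); yield

    def dup():                         # while true do (h?x; o1!x; o2!x)
        while True:
            x = yield from recv("on")
            ch["out"].append(x); yield
            ch["out'"].append(x); yield

    def reg():                         # (o!0; while true do (i?x; o!x))
        ch["in'"].append(0); yield
        while True:
            x = yield from recv("out'")
            ch["in'"].append(x); yield

    nodes = {"add": add(), "dup": dup(), "reg": reg()}
    for k in range(steps):
        next(nodes[schedule(k)])       # node runs until it blocks or takes a step
    return tuple(ch["out"])

ORDER = ("add", "dup", "reg")

def round_robin(k):                    # weakly fair
    return ORDER[k % 3]

def fixated_on_dup(k):                 # unfair: add and reg are starved
    return "dup"

def fair_then_fixated(cutoff):         # fair for `cutoff` steps, then unfair
    return lambda k: ORDER[k % 3] if k < cutoff else "dup"

def random_fair(seed):                 # fair with probability 1
    rng = random.Random(seed)
    return lambda k: rng.choice(ORDER)

if __name__ == "__main__":
    sample = (3, 1, 4, 1, 5)           # constructed input history
    print("least fixed point:", least_fixed_point(G(sample)))
    for name, sched in [("round robin", round_robin),
                        ("random", random_fair(7)),
                        ("fixated on dup", fixated_on_dup),
                        ("fair then fixated", fair_then_fixated(9))]:
        print(name, "->", run(sample, sched))
```

The fair schedules reproduce the least fixed point, while the schedules that starve add and reg leave only a proper prefix of it on channel out.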


2  Limitations  of  Kahn’s  model 

We next identify three major limitations: Kahn’s model is too abstract for
many purposes, lacking discriminatory power in many cases where there is
a good operational reason to distinguish between processes; Kahn’s model
applies only to deterministic systems; and the semantics lacks homogeneity.

⁴ Kahn commented that “a parallel program can be safely simulated on a sequential
machine, provided the scheduling algorithm is fair enough, i.e. it eventually attributes
some more computing time to a process which wants it”. He also remarked that if the
scheduler is unfair the program might produce “less output than what could be expected”.

Too  abstract 

Kahn’s semantics ignores many potentially significant attributes of a
network’s behavior, by focussing entirely on the relationship between complete
input histories and complete output histories. To illustrate this consider the
following “buffer” processes:

process buff(i, o) = local x in while true do (i?x; o!x);
process buffs(i, o) = local h in (buff(i, h) || buff(h, o))

The one-place buffer node buff(i, o) clearly operates by repeatedly absorbing
a single input datum and then outputting it, whereas the network buffs(i, o)
obtained by linking two such nodes in a chain, connected by a local channel,
behaves like an unbounded finite buffer capable of absorbing an arbitrary
number of inputs before outputting. Yet both compute the same
input-output function, the identity function on $V^\infty$. The point here is that Kahn’s
semantics is too abstract to support reasoning about the stimulus-response
attributes of a process. Although the one-place buffer node cannot absorb a
second input item before it has emitted the first, this property is not reflected
in the node’s input-output function. By identifying these two processes as
semantically equivalent the model is incapable of distinguishing between them
in any context, despite their operationally distinct characteristics.


Determinism 

Kahn’s model is applicable only to deterministic networks. To ensure
determinism Kahn imposed certain syntactic constraints, notably:

• at any given time, each node is either computing, or waiting for input
on one of its input channels;

• each node is sequential.

Consequently, no node can ever be waiting for data to arrive on more than
one input channel. For similar reasons nodes are not permitted to share
output channels. These constraints were enforced syntactically, for instance
by restricting the use of input and output inside nodes and forbidding parallel
composition inside a node.

As  Kahn  realized,  non-deterministic  networks  arise  naturally  in  practice. 
For  example,  if  we  allow  the  sharing  of  an  output  channel  it  becomes  possible 
to  design  a  non-deterministic  “merge”  network  capable  of  merging  two  input 
channels  into  a  single  output  channel: 

process merge(left, right, out) =
    local x, y in
        while true do (left?x; out!x)
        || while true do (right?y; out!y)

Similarly,  if  we  allow  sharing  of  input  channels  one  can  design  a  “spraying” 
network  that  splits  the  input  from  one  channel  onto  two  output  channels: 

process spray(in, left, right) =
    local x in
        while true do (in?x; left!x)
        || while true do (in?x; right!x)

And if we allow a node to use a channel for both input and output it becomes
possible to specify a bi-directional pipeline network⁵:

process pipe(a, b) =
    local x, y in
        while true do (a?x || b?y; a!y || b!x)

Moreover,  the  prefix-sum  network  discussed  earlier  can  easily  be  recast  as  a 
non-deterministic  network,  replacing  the  addition  and  duplication  nodes  by 
the  following  non-deterministic  variants: 

process dup'(h, o1, o2) =
    local x in
        while true do (h?x; (o1!x || o2!x));
process add'(i1, i2, o) =
    local x, y in
        while true do ((i1?x || i2?y); o!(x + y));

⁵ Of course in this example it no longer makes sense to characterize each stream as
being either an input stream or an output stream.

We then obtain the non-deterministic network

process sum'(in, out) =
    local in', on, out' in
        add'(in, in', on) || dup'(on, out, out') || reg(out', in')

This network violates Kahn’s syntactic restrictions, since the add' node waits
on two input channels simultaneously, and both add' and dup' nodes involve
parallel composition. Yet it is intuitively obvious that the network still
behaves deterministically, computing the same input-output function as before.
Of course this cannot be shown within Kahn’s functional framework. This
provides a simple example in which a network built from non-deterministic
components may still exhibit deterministic behavior.

It would be useful to extend Kahn’s ideas to incorporate non-deterministic
systems, but clearly continuous input-output functions no longer suffice. The
actual behavior of a non-deterministic network may depend on scheduling
details, in that the output produced from a given input stream may depend
on the order in which individual nodes get executed, and such a network
cannot properly be viewed as computing a function from input streams to
output streams. Given the desire to abstract away from scheduling details,
it makes sense instead to view each of these nodes as computing a relation
on histories. For example, assuming a fair scheduler, the merge node should
be regarded as computing the fairmerge relation [Par79], i.e. the set of all
triples $(\alpha, \beta, \gamma)$ over $V^\infty$ such that $\gamma$ is an interleaving of all of $\alpha$ with all of
$\beta$. Unfortunately the obvious relational generalization of Kahn’s model lacks
compositionality, as we will discuss later [BA81]. We mention this here simply
to point out that Kahn’s limitation to deterministic systems is inherent in
his approach and cannot easily be overcome with a minor modification.

Lack  of  homogeneity 

Kahn’s semantics treats nodes and networks in disparate ways [Kah77]. Each
node determines a flowchart, from which its input-output function is
extracted, and the input-output behavior of a network is then obtained by
forming a mutually recursive family of functional equations and taking the
least fixed point. This is a two-stage construction: first consider the
individual nodes (in an essentially operational manner), then analyze the entire
network (in a denotational manner). The separation into phases follows the
same pattern as the syntactic constraints built into Kahn’s framework: nodes
execute sequential programs for which flowcharts can be used, whereas
networks involve parallelism and do not correspond to flowcharts.

Perhaps it is less clear why one cannot simply treat nodes and networks
on a more equable basis, by giving a denotational (compositional) description
of the input-output semantics of the sequential programming language used
“inside” nodes. It turns out that this is impossible, because the input-output
semantics of a sequential composition $N_1; N_2$ cannot be deduced from the
input-output semantics of $N_1$ and $N_2$. A simple example shows this: the
input-output functions of i?x and skip coincide (both equalling $\lambda\rho.\epsilon$)
but the input-output functions of i?x; o!0 and skip; o!0 differ (only the latter
maps the empty input sequence to [0]).

This lack of homogeneity is aesthetically unattractive, since it would be
more natural to treat nodes and networks on exactly the same semantic
footing, and this is required in order to perform hierarchical network analysis.
Indeed, for this very reason Kahn suggested that it is sometimes desirable to
treat a subnetwork as a single node. However, taken literally and exploited
in full generality this is inconsistent with the constraints imposed to ensure
determinism: a subnetwork built from deterministic nodes may fail to satisfy
the determinism constraints. For example, consider the network obtained by
juxtaposing two disjoint one-place buffers:

buff(i1, o1) || buff(i2, o2),

where we assume for simplicity that each channel has the same type chan[r].
Each buffer node by itself is deterministic, and the network built this way
is perfectly well-behaved, computing the identity function on $V^\infty \times V^\infty$.
However, this network obviously waits for input on two channels, because of
the use of parallel composition. When viewed as a single node it therefore
violates the original intention that nodes be sequential and that nodes wait
on at most one channel at a time.

Rather  than  dismiss  these  issues  as  minor  quibbles  we  feel  that  they 
indicate  that  lack  of  homogeneity  is  a  serious  methodological  problem. 
Now consider the following context:

T[-] = local o, in', out' in
    spread(o, out, out') || plus1(out', in') || [-]

where the nodes spread and plus1 are given by

process spread(o, out, out') = local z in
    while true do (o?z; out!z; out'!z)

process plus1(out', in') = local z in
    while true do (out'?z; in'!(z + 1))

Plugging S[P1] or S[P2] into this context produces networks T[S[P1]] and
T[S[P2]], also shown in Figure 3. These networks have different input-output
behavior, i.e.

$\mathit{str}[\![T[S[P_1]]]\!] \neq \mathit{str}[\![T[S[P_2]]]\!]$

For instance, suppose the network T[S[P1]] is supplied with a single input
value 5 on channel in. This value will pass through the first double node, then
through merge, through P1 and through spread to become the first output
on channel out. The spread node will also send a 5 to plus1, causing a 6 to
appear on in', and the second double node can thus pass a 6 on to the merge
node. The merge node now has a choice of consuming either the second 5 or
this 6. Consequently the network can output a 5 followed either by a 5 or
a 6. However, if T[S[P2]] is supplied with a single input value 5 its P2 node
cannot produce output until it has received a second input; thus eventually
(by fairness) the merge node must consume both of the 5’s produced by the
first double node, and the only possible output of the network begins with 5
followed by 5.

Thus we have two networks with the same history relation but which
induce different history relations when used as components in a larger network.
The conclusion is that the input-output relation of a non-deterministic
network cannot be computed compositionally from the input-output relations of
its components. Note also that this failure of compositionality cannot be
side-stepped by banishing or limiting the use of the relevant program construct:
the problem occurs with the fundamental network primitives (juxtaposition,
feedback and cascading).
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3  Generalizing  Kahn 

As we indicated above, a non-deterministic network can be regarded as
computing an input-output relation. However, it is well known that Kahn’s
Principle does not immediately generalize to the relational setting in the
obvious way, because the input-output relation of a non-deterministic network
cannot be defined compositionally. We summarize briefly the classic
Brock-Ackerman anomaly that demonstrates the problem [BA81].

The Brock-Ackerman anomaly

Let us write $\mathit{str}[\![N]\!]$ for the history relation computed by network N. Consider
the following pair of nodes, with input channel i and output channel o:

process P1(i, o) = local x, y in (i?x; o!x; i?y; o!y)
process P2(i, o) = local x, y in (i?x; i?y; o!x; o!y)

Clearly these nodes compute different relations, because P1 needs only a
single input datum to trigger its first output but P2 needs two inputs. Thus

$$\mathit{str}[\![P_1]\!] \neq \mathit{str}[\![P_2]\!].$$

Now consider the following context S[—], with a “hole” into which we may
plug P1 or P2:

S[—] = local on, on', i in
    double(in, on) || double(in', on') || merge(on, on', i) || [—]

where merge is the merge process defined earlier and double is given by:

process double(in, on) = local z in (in?z; on!z; on!z)

The networks formed by substituting P1 and P2 into this context are shown
in Figure 3. Neither of the networks S[P1] or S[P2] produces any output
unless it receives input. If one or more input items are available on either
input channel the double nodes ensure that the internal P_k node receives at
least two inputs, thus masking the difference between P1 and P2, so that

$$\mathit{str}[\![S[P_1]]\!] = \mathit{str}[\![S[P_2]]\!].$$

Figure 3: The networks S[P_k] and T[S[P_k]] (for k = 1, 2)
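The anomaly can be checked mechanically. The following Python sketch is an added example, not code from the paper: it enumerates every maximal run of S[P_k] and of T[S[P_k]] and collects the output histories. The T wiring (spread copying o to out and to a feedback channel fb, plus1 feeding in'), the atomic modelling of merge, spread and plus1, and all Python names are assumptions reconstructed from the prose description of the example; because every run of these networks is finite, maximal runs coincide with fair ones.

```python
"""Exhaustive search over all maximal (hence fair) runs of the Brock-Ackerman networks."""

# Straight-line nodes in the page's notation: ("?", chan, var) is chan?var,
# ("!", chan, var) is chan!var.
P1 = [("?", "i", "x"), ("!", "o", "x"), ("?", "i", "y"), ("!", "o", "y")]
P2 = [("?", "i", "x"), ("?", "i", "y"), ("!", "o", "x"), ("!", "o", "y")]


def double(src, dst):
    """process double(src, dst) = local z in (src?z; dst!z; dst!z)"""
    return [("?", src, "z"), ("!", dst, "z"), ("!", dst, "z")]


# Channel names; "out" and "fb" exist only in the assumed T wiring.
CHANNELS = ("in", "in'", "on", "on'", "i", "o", "out", "fb")


def successors(state, progs, feedback):
    """All states reachable by one atomic step of some node."""
    chans, procs = state
    c = dict(zip(CHANNELS, chans))
    result = []

    def emit(updates, new_procs):
        merged = {**c, **updates}
        result.append((tuple(merged[k] for k in CHANNELS), new_procs))

    # Sequential nodes: the two doubles and the plugged-in P_k.
    for n, prog in enumerate(progs):
        pc, env = procs[n]
        if pc == len(prog):
            continue  # terminated
        op, ch, var = prog[pc]
        local = dict(env)
        if op == "?":
            if not c[ch]:
                continue  # empty channel: busy wait, no state change
            local[var] = c[ch][0]
            updates = {ch: c[ch][1:]}
        else:
            updates = {ch: c[ch] + (local[var],)}
        stepped = (pc + 1, tuple(sorted(local.items())))
        emit(updates, procs[:n] + (stepped,) + procs[n + 1:])

    # merge(on, on', i): non-deterministically forward the head of either queue.
    for src in ("on", "on'"):
        if c[src]:
            emit({src: c[src][1:], "i": c["i"] + (c[src][0],)}, procs)

    if feedback:
        # Assumed T wiring: spread copies o to out and fb; plus1 maps fb to in'.
        if c["o"]:
            v = c["o"][0]
            emit({"o": c["o"][1:], "out": c["out"] + (v,), "fb": c["fb"] + (v,)}, procs)
        if c["fb"]:
            emit({"fb": c["fb"][1:], "in'": c["in'"] + (c["fb"][0] + 1,)}, procs)
    return result


def output_histories(pk, inp=(), inp_prime=(), feedback=False):
    """Set of final output histories of S[pk], or of T[S[pk]] when feedback is True."""
    progs = [double("in", "on"), double("in'", "on'"), pk]
    init = {k: () for k in CHANNELS}
    init["in"], init["in'"] = tuple(inp), tuple(inp_prime)
    start = (tuple(init[k] for k in CHANNELS), ((0, ()),) * 3)
    observed = CHANNELS.index("out" if feedback else "o")
    seen, stack, finals = {start}, [start], set()
    while stack:
        state = stack.pop()
        nxt = successors(state, progs, feedback)
        if not nxt:  # quiescent: every node has terminated or is blocked
            finals.add(state[0][observed])
        for t in nxt:
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return finals


if __name__ == "__main__":
    for name, pk in (("P1", P1), ("P2", P2)):
        print(name, "in S:", sorted(output_histories(pk, [5], [6])),
              "in T[S]:", sorted(output_histories(pk, [5], feedback=True)))
```

Placed in S alone the two nodes are indistinguishable on every tested input, while under the feedback context only P1 admits the output 5 followed by 6.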

This anomaly led to the search for an appropriate compositional semantics
generalizing Kahn’s model to incorporate non-determinism. A variety
of models has been proposed, including hiatons [Fau82], scenarios [BA81],
I/O automata [Sta89, RT89], and sets of continuous functions [Abr90]. Various
trace-theoretic models have also been proposed, including [KP84, Kok87,
Jon89, Rus90]. Although each of these models attempted to stay faithful to
Kahn’s spirit, typically retaining some form of continuity assumption, none is
as simple and elegant as Kahn’s original model. Moreover these approaches
have achieved only limited success, usually being incapable of properly
modelling fairness. Rather than reviewing the details of these previous models
we will re-examine the operational rationale behind Kahn’s original model
and show that in the non-deterministic setting the rationale ceases to be
justifiable.

Is  continuity  a  fair  assumption? 

We argued above, echoing Kahn, that it is operationally reasonable to model
the behavior of a deterministic node as a continuous function from input
streams to output streams. A key point in rationalizing the decision to
assume continuity was that a deterministic process capable of generating an
infinite output sequence must in fact generate successively longer finite
prefixes of its output from successively longer prefixes of its input. If we imagine
running the process repeatedly from the start, each time supplying a longer
portion of the input sequence, we would expect to observe a correspondingly
longer portion of the output, since the node is deterministic and therefore
executing the same code in each run. In the limit, if an infinite supply of
input is available the node would eventually produce the entire infinite
output. However, if the process is non-deterministic this argument ceases to be
valid, since there is no longer any guarantee that the process behaves the
same way in different runs when supplied with the same (or longer) input
sequence. Thus the rationale for assuming continuity is no longer justified in
the non-deterministic setting.

Another example helps to make this point. Consider the following three
kinds of buffer-like node, assuming that each channel has type chan[int]:

process buff(i, o) = local x in
    while true do (i?x; o!x)

process buff'(i, o) = local x in
    while true do (skip or (i?x; o!x))

process buff*(i, o) = local x, n in
    n:=?; for i:=1 to n do (i?x; o!x)

Here n:=? is assumed to be a random assignment setting n to an arbitrary
non-negative integer. Intuitively buff - as discussed earlier - is a conventional
one-place buffer, and is obviously deterministic; buff' is a non-deterministic
node that keeps making a choice either to behave like a buffer for one step
or to “skip”; and buff* chooses an arbitrary finite bound on the number
of times it will behave like a buffer, after which it stops inputting.
Non-determinism in these latter two cases means that the node has more than
one possible execution, and for a given input history the output depends on
which execution occurs. For buff' it is clear that the output will always be
a prefix of the input, and that for each input sequence there is an execution
that faithfully outputs all of the input, even if the input is infinite. For buff*
again the output is a prefix of the available input, but only a finite sequence
of output will be produced. The stream relations computed by these nodes
are, correspondingly:

$$\begin{aligned}
\mathit{str}[\![\mathit{buff}(i,o)]\!] &= \{(\rho,\rho) \mid \rho \in V^{\infty}\} \\
\mathit{str}[\![\mathit{buff}'(i,o)]\!] &= \{(\rho,\sigma) \mid \sigma \leq \rho \ \&\ \rho,\sigma \in V^{\infty}\} \\
\mathit{str}[\![\mathit{buff}^{*}(i,o)]\!] &= \{(\rho,\sigma) \mid \sigma \leq \rho \ \&\ \rho \in V^{\infty} \ \&\ \sigma \in V^{*}\}.
\end{aligned}$$

We write $\sigma \leq \rho$ to indicate that $\sigma$ is a prefix of $\rho$.

The important point to note here is that in the third case the relation
is not continuous, since the presence of the input-output pair $(0^k, 0^k)$ for
all $k > 0$ does not imply the presence of $(0^{\omega}, 0^{\omega})$. Indeed, there is no
operational justification for forcing the input-output relation of buff*(i,o) to
contain $(0^{\omega}, 0^{\omega})$, because each of the “approximations” $(0^k, 0^k)$ represents a
behavior observed along a different computation, and no single computation
exists along which, if infinitely many 0’s were available as input, infinitely
many outputs would also occur. Contrast this with buff'(i,o), which does
have a computation involving infinite input and output, since it is possible
for the node to keep choosing the “active” branch. If we chose to enforce
continuity, thereby equating buff* with buff', we would be forced to ignore
the fact that these two nodes are not operationally equivalent.


4  A  model  for  fair  networks 

We have already mentioned the fundamental role played by fairness in the
operational underpinnings of Kahn’s semantics. For non-deterministic
networks fairness is, of course, still fundamental, again providing us with a way
to abstract away from irrelevant scheduling details. We propose a model
of fair networks, in which nodes are (possibly non-deterministic) computing
agents, communicating asynchronously on buffered channels, executing
fairly. We allow full use of sequential and parallel composition, both at the
node level and at the network level. We allow sharing of input- or
output-channels, and we even allow channels to be used in a bi-directional manner.
We treat nodes and networks homogeneously, so that from now on we will
only use the neutral term “process”.

Our model is an adaptation of transition traces [Bro93] to incorporate
asynchronous communication, along lines sketched in [Bro97]. Each process
denotes a trace set, amounting intuitively to an “input-output relation
extended in time”; we do not impose any continuity constraint. The trace
set of an entire network is obtained by fair parallel composition of the trace
sets of its nodes. We provide a fixed-point characterization of fair parallel
composition, thus making good on our claim that we maintain the spirit of
Kahn’s Principle. The trace set of a recursively defined network is also
characterized as a fixed-point. Our semantics is operationally justified in that the
traces of a network correspond precisely to fair executions of the network, as
prescribed by a standard operational semantics outlined in Appendix A.

Our approach is compositional: in particular, sequential composition
amounts to concatenation of trace sets, and we no longer need to treat nodes
and networks separately. Trace semantics is useful for safety and liveness
analysis, as well as general analysis of the stimulus-response behavior of
networks. Fairness is often a vital assumption in liveness arguments, and our
model is well suited for this purpose. Because our semantics is homogeneous
we support hierarchical analysis. We can also handle dynamic networks, in
which the number of active processes changes as the network evolves.

Moreover, for networks in which each channel is used unambiguously by
each node either for input or for output we can extract an input-output
relation from the network’s trace set. In the case of a deterministic network this
coincides with the graph of the input-output function predicted by Kahn’s
semantics, so that we do indeed obtain a true generalization of Kahn’s
semantics.

We provide here only a sketch of the main semantic ideas and definitions.
For fuller details the reader should consult [Bro93, Bro96, Bro97]. Even
without detailed analysis of the semantic definitions it should be possible to
understand the general concepts and see how our semantics works out when
applied to the examples under discussion.

States 

A key feature in our framework is the way we model state. A state of a
network is a tuple $w = (v, \rho)$ giving the values of all non-local variables used
in the network and the current contents of channels. We assume that each
variable and channel is typed, and we let $V_\tau$ be the set of data values of
type $\tau$. Since channels are modelled as unbounded queues the contents of
a channel of type chan[$\tau$] will belong to the set $V_\tau^{*}$ of finite sequences. A
typical state set is thus a cartesian product of form
$W = (V_1 \times \cdots \times V_n) \times (V_{n+1}^{*} \times \cdots \times V^{*})$.
Our semantic definitions are parameterized in terms of the
choice of current state set. This permits smooth handling of local variable
declarations [Rey81, Ole82]. For each type $\theta$ (such as proc, var[$\tau$], and
chan[$\tau$]) and each state set W we define a set of meanings of type $\theta$ “over”
W.

Variables  and  channels 

A variable of type $\tau$ can be modelled as an acceptor, a function acc of type
$V_\tau \to (W \to W)$ describing the effect of assignment to the variable, together
with an expression value, i.e. a function val of type $W \to V_\tau$ describing the
(state-dependent) current value of the variable. This is exactly as in the
Reynolds/Oles semantics of Idealized Algol [Rey81, Ole82].

Similarly a channel can be modelled as a put operation, i.e. a function
of type $V_\tau \to (W \to W)$ describing the effect of “sending” to the channel,
together with a get operation, a function of type $W \to (V_\tau \times W)\,\mathit{option}$
describing the effect of “receiving” from the channel. We use the mathematical
analog here of the ML “option” type constructor; thus for any state w
attempting a get will either produce some(v, w') or none. In the former case
v is the “next” remaining item in the channel’s queue, and w' is the state
produced by removal of that item. The none case occurs when the channel
queue is empty.

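For example, over state set $W \times V^{*}$ the channel corresponding to the
second component is represented by the pair (put, get) with the functions

$$\begin{aligned}
\mathit{put} &: V \to W \times V^{*} \to W \times V^{*} \\
\mathit{get} &: W \times V^{*} \to (V \times (W \times V^{*}))\,\mathit{option}
\end{aligned}$$

given by

$$\begin{aligned}
\mathit{put}(v)(w, \rho) &= (w, \rho v) \\
\mathit{get}(w, \varepsilon) &= \mathit{none} \\
\mathit{get}(w, v\rho) &= \mathit{some}(v, (w, \rho))
\end{aligned}$$

for all $\rho \in V^{*}$, $w \in W$, and $v \in V$. A “put” appends the new item at the end
of the current queue and a “get” removes the first item of the current queue.
Note that we use the notation $\rho v$ or $v\rho$ as appropriate.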
Processes

A trace of a process is a finite or infinite sequence of state changes

$$(w_0, w_0')(w_1, w_1') \ldots (w_n, w_n') \ldots$$

representing a fair interactive computation; each step $(w_i, w_i')$ models a finite
sequence of atomic actions executed by the process, and each “external”
change from $w_i'$ to $w_{i+1}$ represents a state change caused by the process’s
“environment”. With our view of state and channels, communication causes
a state change. We model an attempt to input from an empty channel as a
“busy wait”, i.e. an infinite trace consisting entirely of stuttering steps.

A process denotes a trace set, intuitively a total relation on states,
extended in time to allow for the potential for interference. Such a trace set
specifies a complete recipe for predicting all possible fair interactive
computations of a process. Trace sets are closed under stuttering and mumbling,
so that for instance

$$\alpha\beta \in t \ \&\ w \in W \implies \alpha(w,w)\beta \in t \qquad \text{(stuttering)}$$

$$\alpha(w,w')(w',w'')\beta \in t \implies \alpha(w,w'')\beta \in t \qquad \text{(mumbling)}$$

We  write  for  the  closure  of  T,  defined  as  the  smallest  closed  set  of  traces 
containing  T  as  a  subset.⁶
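For finite traces, membership in the closure of a single generating trace is decidable by a small dynamic program: each step of the candidate is either an inserted stutter or the composition of a consecutive, composable block of generator steps. The sketch below is an added example, not code from the paper; the state shape (a pair of queue contents for two channels a and b), the helper names and the sample traces are constructed assumptions.

```python
from functools import lru_cache

# A state is (contents of channel a, contents of channel b), each a tuple.
# A step is a pair (state_before, state_after); a trace is a sequence of steps.


def a_recv(v, rho, sigma):
    """One step that removes v from the head of channel a."""
    return (((v,) + tuple(rho), tuple(sigma)), (tuple(rho), tuple(sigma)))


def b_send(v, rho, sigma):
    """One step that appends v to the tail of channel b."""
    return ((tuple(rho), tuple(sigma)), (tuple(rho), tuple(sigma) + (v,)))


def in_closure(trace, generator):
    """True iff the finite `trace` is obtainable from the finite `generator`
    by inserting stuttering steps (w, w) and mumbling adjacent steps
    (w, w')(w', w'') into (w, w'')."""
    trace, gen = tuple(trace), tuple(generator)
    m, n = len(trace), len(gen)

    @lru_cache(maxsize=None)
    def match(j, k):
        # Can trace[j:] be derived from gen[k:]?
        if j == m:
            return k == n
        before, after = trace[j]
        # Case 1: step j is a stutter inserted by closure.
        if before == after and match(j + 1, k):
            return True
        # Case 2: step j is the mumbled composition of gen[k:end], end > k.
        current, end = before, k
        while end < n and gen[end][0] == current:
            current = gen[end][1]
            end += 1
            if current == after and match(j + 1, end):
                return True
        return False

    return match(0, 0)


# Constructed sample traces.
# Uninterrupted receive-then-send of the value 5, as two separate steps.
TWO_STEP = [a_recv(5, (), ()), b_send(5, (), ())]
# The same transfer observed as one atomic step.
ATOMIC = (((5,), ()), ((), (5,)))
# The environment adds 7 to channel a between the two steps.
INTERFERED = [a_recv(5, (), ()), b_send(5, (7,), ())]
IDLE = (((), ()), ((), ()))

if __name__ == "__main__":
    print(in_closure([ATOMIC], TWO_STEP))        # mumbling merges the two steps
    print(in_closure([IDLE, ATOMIC], TWO_STEP))  # stuttering may be added anywhere
    print(in_closure(TWO_STEP, [ATOMIC]))        # closure never splits a step
```

The interfered trace cannot be mumbled into one step because the environment changed the state between the process's two steps, which is exactly the interference information a plain input-output relation loses.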

Closed trace sets form a domain, ordered by reverse inclusion. This
ordering can be regarded as a measure of non-determinism: the least element
is the set of all traces, corresponding to the most non-deterministic process
of all.

Although  traces  themselves  -  as  a  form  of  sequence  -  form  a  domain 
under  the  prefix  ordering,  our  domain  of  closed  trace  sets  is  not  constructed 
as  a  powerdomain  [Smy78]  over  a  domain  of  traces.  The  use  of  powerdomains 
would  cause  difficulties  with  the  incorporation  of  fairness  and  in  any  case  a 
simpler  model  serves  our  purposes. 

Note also that we do not assume that the trace sets denoted by processes
are prefix-closed or closed under limit, in contrast to most traditional semantic
models of CSP-like languages [Ros98]. This is because we use a trace to
represent an entire computation: incomplete or partial traces do not occur
in our trace sets. Enforcing closure under limit, so that an infinite trace
is deemed to be present if each of its finite-length approximants is present,
would cause difficulty with fairness. By working with “complete” traces we
are able to avoid this problem.

⁶ The closure conditions specified above generalize in the obvious way to allow stuttering
and mumbling at infinitely many positions in an infinite trace.

Environments 

An  environment  over  state  set  W  is  a  finite  mapping  from  identifiers  to 
variables  over  W,  and  channel  identifiers  to  channels  over  W:  each  variable 
and  channel  corresponds  to  a  component  of  the  state.  For  the  most  part  in 
this  presentation  we  will  suppress  details  of  binding  and  scope,  since  the  ideas 
can  be  conveyed  more  simply  by  factoring  out  these  book-keeping  details 
when  we  discuss  specific  examples. 

Semantic  definitions 

We  now  define  the  trace  semantics  of  processes.  For  simplicity  we  assume  that 
expressions  (such  as  x  +  y)  are  evaluated  atomically,  cause  no  side-effects, 
and  always  terminate.  It  would  be  straightforward  to  adapt  the  semantic 
definitions  to  allow  for  fully  general  expression  evaluation,  as  in  [Bro93]. 

Whenever  P  is  a  process,  W  is  a  set  of  states,  and  u  is  an  environment 
mapping  the  free  identifiers  of  P  into  variables  and  channels  over  W,  the 
trace  set 

$$\mathit{traces}[\![P]\!]Wu$$

is defined as follows, by structural induction on P. In each case it is to be
understood that the trace set being defined also includes all traces obtained
by stuttering and mumbling from traces mentioned explicitly. In cases where
W and u can be assumed known we may refer simply to $\mathit{traces}[\![P]\!]$.

•  The process skip has traces of form $(w_0, w_0) \ldots (w_k, w_k)$, i.e. finite
stuttering, reflecting termination without changing the state, regardless
of interruption. These traces are obtainable from singleton stuttering
traces by closure, so that $\mathit{traces}[\![\mathbf{skip}]\!]Wu = \{(w,w) \mid w \in W\}^{\dagger}$.

•  If h denotes the channel (put, get) and x denotes the variable (acc, val),
the input command h?x has traces of form

$$(w, \mathit{acc}(v)w') \quad \text{where } \mathit{get}(w) = \mathit{some}(v, w')$$

$$(w_0, w_0) \ldots (w_k, w_k) \ldots \quad \text{where } \forall k > 0.\ \mathit{get}(w_k) = \mathit{none}$$

•  When h denotes the channel (put, get) the output command h!v has
traces of form $(w, \mathit{put}(v)w)$.

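•  Sequential composition corresponds to concatenation of traces:

$$\mathit{traces}[\![P_1; P_2]\!]Wu = \{\alpha_1\alpha_2 \mid \alpha_1 \in \mathit{traces}[\![P_1]\!]Wu \ \&\ \alpha_2 \in \mathit{traces}[\![P_2]\!]Wu\}^{\dagger}$$

•  Parallel composition corresponds to fair merging of traces

$$\mathit{traces}[\![P_1 \| P_2]\!]Wu = \{\gamma \mid \exists \alpha \in \mathit{traces}[\![P_1]\!]Wu,\ \beta \in \mathit{traces}[\![P_2]\!]Wu.\ (\alpha,\beta,\gamma) \in \mathit{fairmerge}_{W \times W}\}^{\dagger}$$

where for each set A the relation $\mathit{fairmerge}_A \in \mathcal{P}(A^{\infty} \times A^{\infty} \times A^{\infty})$ is
given by

$$\mathit{fairmerge}_A = \mathit{both}^{*} \cdot \mathit{one} \cup \mathit{both}^{\omega}$$

where

$$\begin{aligned}
\mathit{both} &= \{(\alpha, \beta, \alpha\beta), (\alpha, \beta, \beta\alpha) \mid \alpha, \beta \in A^{+}\} \\
\mathit{one} &= \{(\alpha, \varepsilon, \alpha), (\varepsilon, \beta, \beta) \mid \alpha, \beta \in A^{\infty}\}
\end{aligned}$$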

Here we have used the obvious generalizations of concatenation and
finite and infinite iteration to triples of traces, and to sets of triples.
$A^{+}$ is the set of non-empty finite sequences over A. Thus in particular
every triple $(\alpha, \beta, \gamma) \in \mathit{fairmerge}_A$ for which both $\alpha$ and $\beta$ are infinite
can be decomposed into the form

$$\begin{aligned}
\alpha &= \alpha_1\alpha_2 \ldots \\
\beta &= \beta_1\beta_2 \ldots \\
\gamma &= \alpha_1\beta_1\alpha_2\beta_2 \ldots
\end{aligned}$$

or its symmetric variant $\gamma = \beta_1\alpha_1\beta_2\alpha_2 \ldots$, each $\alpha_i$ and $\beta_i$ being
non-empty finite sequences. The case where one or more of $\alpha$ and $\beta$ is finite
has a similar decomposition. This formal specification of fairmerge
clearly corresponds precisely to the fair merge operation mentioned
earlier in the merge example.

The fairmerge relation can also be characterized as the least fixed point
of the functional

$$\lambda R.\ \mathit{both} \cdot R \cup \mathit{one},$$

where R ranges over the lattice of relations over $A^{\infty} \times A^{\infty} \times A^{\infty}$, ordered
by reverse inclusion. The least element of this lattice is the universal
relation, and the fixed point can be calculated as an intersection.

•  The traces of

local h : chan[$\tau$] in P

over state set W are obtained by projection onto W from the traces
of P over $W \times V_\tau^{*}$, in a suitably expanded environment, along which
the local channel is initially empty and its contents are never changed
across step boundaries. In the expanded environment h is bound to the
channel value (put, get) whose operations refer to the $V_\tau^{*}$ component of
the expanded state set $W \times V_\tau^{*}$.

This definition generalizes in an obvious manner to local h = $\rho$ in P,
in which the initial value assumed for the local channel is the given
sequence $\rho \in V_\tau^{*}$.

The semantics of local x : var[$\tau$] in P is defined in a similar manner.

•  For simplicity we assume that recursive process definitions are
syntactically guarded, in that each occurrence of the recursive process name is
preceded by a communication or some other atomic action⁷. For each
state set W such a recursive process definition determines a guarded
continuous function F on trace sets over W, and denotes the (closure
of the) least fixed point of this function. Recall that trace sets over W
form a domain under reverse set inclusion, with least element the set
of all traces $(W \times W)^{\infty}$. The fixed point can therefore be calculated
by forming the intersection of the sets $F^{n}((W \times W)^{\infty})$ for $n > 0$.

⁷ This constraint can be removed, allowing arbitrary recursive definitions, if we insert a
“semantic guard” in the form of an initial stuttering step. The mechanics of this approach
are explained in [Bro96]. Note that for technical reasons it is necessary to take the fixed
point of a functional over arbitrary trace sets, and then to form the closure. This guarantees
that a divergent process definition such as process div = skip; div is given the correct
denotation $\{(w,w) \mid w \in W\}^{\omega}$, i.e. infinite stuttering, rather than $(W \times W)^{\infty}$.
For example, assume that the state set is $V^{*} \times V^{*}$ and that a and
b correspond to the first and second components respectively. The
recursive process definition

process B = local x in (a?x; b!x; B),

essentially the one-place buffer example discussed earlier, determines
the guarded function

$$F(t) = (a?\varepsilon)^{\omega} \cup \bigcup_{v \in V} a?v;\, b!v;\, t,$$

where we write

$$\begin{aligned}
a?\varepsilon &= \{((\varepsilon,\sigma),(\varepsilon,\sigma)) \mid \sigma \in V^{*}\} \\
a?v &= \{((v\rho,\sigma),(\rho,\sigma)) \mid \rho,\sigma \in V^{*}\} \\
b!v &= \{((\rho,\sigma),(\rho,\sigma v)) \mid \rho,\sigma \in V^{*}\}.
\end{aligned}$$

The least fixed point of this function is, as expected by the intended
operational behavior, the trace set given by:

$$\{a?v;\, b!v \mid v \in V\}^{\omega} \cup \{a?v;\, b!v \mid v \in V\}^{*}(a?\varepsilon)^{\omega}.$$


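•  For a conditional command we define

$$\mathit{traces}[\![\mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2]\!] = [\![B]\!]_{\mathit{true}};\, \mathit{traces}[\![P_1]\!] \cup [\![B]\!]_{\mathit{false}};\, \mathit{traces}[\![P_2]\!],$$

where $[\![B]\!]_{\mathit{true}} = \{(w, w) \mid w \in W \ \&\ [\![B]\!]w = \mathit{true}\}$. Here we write
$[\![B]\!] : W \to V_{\mathit{bool}}$ for the semantic function for boolean expressions,
which is assumed given. We use a similar convention for $[\![B]\!]_{\mathit{false}}$.

•  The meaning of a while-loop involves iteration:

$$\mathit{traces}[\![\mathbf{while}\ B\ \mathbf{do}\ P]\!] = ([\![B]\!]_{\mathit{true}};\, \mathit{traces}[\![P]\!])^{*};\, [\![B]\!]_{\mathit{false}} \cup ([\![B]\!]_{\mathit{true}};\, \mathit{traces}[\![P]\!])^{\omega}.$$

Equivalently, this trace set is the closure of the least fixed point of the
functional

$$\lambda T.\ [\![B]\!]_{\mathit{true}};\, \mathit{traces}[\![P]\!];\, T \cup [\![B]\!]_{\mathit{false}}.$$

For example, the traces of while true do skip are infinite stuttering
sequences, i.e.

$$\mathit{traces}[\![\mathbf{while\ true\ do\ skip}]\!] = \{(w,w) \mid w \in W\}^{\omega}.$$

Similarly, the traces of the one-place buffer node buff (specified as a
while-loop) are as expected.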
5  Advantages  of  trace  semantics

Our semantics is specifically designed to handle non-deterministic networks,
is compositional, and permits operationally justified discrimination between
processes. Thus we avoid the problems inherent in Kahn’s approach.


Compositionality 

With the trace semantics the Brock-Ackerman anomaly does not cause a
problem: although P1 and P2 denoted the same input-output function they
do not have the same traces, so it is unsurprising that they also induce
different trace semantics in context S[—] and also in context T[—]. Similarly
the problem with sequential composition goes away, since i?x and skip do
not have the same traces. In fact we are able (as above) to specify the traces
of N1; N2 in terms of the traces of N1 and the traces of N2.

Trace semantics is compositional, so that it can be used to support
syntax-directed reasoning about non-deterministic processes. In particular, our
semantics supports a hierarchical approach to network analysis and synthesis.
When analyzing a network built out of several sub-networks all one needs to
know or assume about a sub-network is its trace set. One can replace any
node or sub-network by another with the same traces, without affecting the
traces of the overall network.


Discriminative  power 

The variant forms of one-place buffer discussed earlier have pairwise distinct
trace sets. Adapting the notation introduced above, we have (modulo
closure):

$$\begin{aligned}
\mathit{traces}[\![\mathit{buff}(i,o)]\!] &= \{i?v;\, o!v \mid v \in V\}^{\omega} \cup \{i?v;\, o!v \mid v \in V\}^{*}(i?\varepsilon)^{\omega} \\
\mathit{traces}[\![\mathit{buff}'(i,o)]\!] &= \{i?v;\, o!v \mid v \in V\}^{\omega} \cup \{i?v;\, o!v \mid v \in V\}^{*}\,\mathit{STUT}^{\omega} \\
\mathit{traces}[\![\mathit{buff}^{*}(i,o)]\!] &= \{i?v;\, o!v \mid v \in V\}^{+} \cup \{i?v;\, o!v \mid v \in V\}^{*}(i?\varepsilon)^{\omega}
\end{aligned}$$

where $\mathit{STUT} = \{((\rho,\sigma),(\rho,\sigma)) \mid \rho, \sigma \in V^{*}\}$.

For buffs we need the obvious extension of the above notation to
non-empty finite sequences of inputs and outputs, so that when $\rho = [v_1, \ldots, v_n]$
we write $i?\rho$ for $i?v_1; \ldots\, i?v_n$. The trace set of buffs consists of all traces of
the form

$$i?\rho_1;\, o!\sigma_1;\, \ldots\, i?\rho_k;\, o!\sigma_k\, \ldots$$

$$\text{or}\quad o!\sigma_1;\, \ldots\, o!\sigma_n;\, (i?\varepsilon)^{\omega}$$

such that

•  every input is eventually output, i.e.

$$\forall k.\ \exists m > k.\ \rho_1 \ldots \rho_k \leq \sigma_1 \ldots \sigma_m.$$

•  every output was previously input, i.e.

$$\forall k.\ \sigma_1 \ldots \sigma_k \leq \rho_1 \ldots \rho_k.$$

Here the $\rho_k$ and $\sigma_k$ range over all non-empty finite sequences, k ranges over
the positive integers, and n ranges over the natural numbers.

In  particular  we  are  not  forced  (by  any  desire  to  impose  continuity)  to 
equate  any  pair  of  these  processes.  For  each  pair  there  is  a  good  operational 
reason  to  avoid  such  identification,  and  our  semantics  reflects  this  well.  These 
buffer  examples  show  that  the  trace  semantics  permits  distinctions  to  be 
made  between  processes  based  on  their  stimulus-response  behavior. 

6  Laws  of  process  equivalence 

A  significant  benefit  of  Kahn’s  approach  is  that  input-output  functions  are 
easy  to  deal  with;  for  instance,  cascading  corresponds  to  composition  of 
input-output  functions.  Moreover  one  can  appeal  to  a  battery  of  standard 
fixed-point  theorems  (due  to  Scott,  Bekic,  Vuillemin  and  others)  for  help 
in  proving  equivalences  between  networks  and  in  proving  correctness  of  a 
network  with  respect  to  a  specification. 

Trace  sets  are  obviously  more  complex  mathematically  than  input-output 
functions  or  input-output  relations.  Nevertheless  a  trace  set  can  be  regarded 
as  an  input-output  relation  “extended  in  time”,  in  which  state  changes  are 
“strung  along”  in  a  sequence  and  the  potential  for  interference  is  built  in. 
This  description,  albeit  informal,  expresses  an  intuition  helpful  when  trying 
to  understand  our  semantics.  Moreover,  trace  set  specifications  such  as  those 
given  for  the  buffer  processes  can  be  very  helpful. 
Rather than relying on the semantic definitions themselves directly in
reasoning about network behavior we prefer to list a number of useful laws
of program equivalence validated by our semantics. Each law, written as
an equation of form P1 = P2, should be interpreted as asserting that in all
worlds W and suitable environments u, the traces of P1 coincide with the
traces of P2.

Scope  contraction 

•  local h in (P||Q) = (local h in P)||Q
if h does not occur free in Q.

This law is useful in establishing, for instance, that the summation network
sum and its three variants sum1, sum2, and sum3 are semantically equivalent.

Symmetry 

•  local h1 in local h2 in P = local h2 in local h1 in P

This equivalence justifies our use of the abbreviation local h1, h2 in P.

Asynchrony 

•  local h in (h!e; P) = P
if h does not occur free in P

•  local h in (h?x; P) = while true do skip

These  two  laws  emphasize  the  asynchronous  mode  of  communication:  an 
output  just  happens,  but  an  input  must  wait.  Note  also  that  local  variables 
and  local  channels  are  not  recorded  in  the  overall  traces.  An  operation  such 
as  outputting  to  a  local  channel  appears  as  a  stuttering  step  to  the  overall 
program,  since  it  has  no  effect  on  the  non-local  part  of  the  state,  and  is  thus 
absorbed  by  closure. 
Local input and output

•  local h = vρ in P||(h?x; Q) = local h = ρ in P||(x:=v; Q)
provided h? does not occur free in P.

•  local h = ρ in P||(h!v; Q) = local h = ρv in P||Q
provided h! does not occur free in P.

These  laws  show  that  under  certain  circumstances  we  lose  no  generality  in 
assuming  that  a  suitably  enabled  communication  involving  a  local  channel 
occurs  immediately,  regardless  of  the  enabledness  of  other  activity. 

Note  also  the  following  slight  generalization  of  the  obvious  corollary: 

•  local h = ε in P||(h?x; Q)||(h!v; R) = local h = ε in P||(x:=v; Q)||R
provided h does not occur free in P and h? does not occur free in R.

Another special case shows that a local output and a local input done
concurrently is equivalent to a “distributed” assignment:

•  local h in (h!v || h?x) = x:=v.

Global  promotion 

•  local h = ε in (h?x; P)||(Q1; Q2) = Q1; local h = ε in (h?x; P)||Q2
if h does not occur free in Q1.

The soundness of this law relies crucially on fairness. It can be used to
simplify reasoning in cases where local channels are used to enforce
synchronization. The significance of this law, and of its obvious generalization to the
case when there are several components waiting on local channels, is that it
allows one to “move to the front” (or “promote”) an initial segment of code
performable by a parallel component, provided that code is “global” in that
it does not affect any local channel, and provided the “rest” of the parallel
composition is waiting on a local channel that is currently empty. This
permits reasoning to assume without loss of generality that the “visible” piece
of code happens first, even though operationally what really happens is that
the two parallel components are interleaved fairly. No generality is lost
because the blocked component contributes only stuttering steps to the traces,
and these steps are absorbed by the closure rules.
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Cyclic  synchronization 

A common technique to enforce synchronization involves a cyclic communication
pattern of requests and acknowledgements. The simplest case, for two
processes, corresponds to the following law:

$$\mathbf{local}\ h_1, h_2\ \mathbf{in}\ (P_1;\ h_1!{*};\ h_2?{*};\ Q_1) \parallel (P_2;\ h_2!{*};\ h_1?{*};\ Q_2) \;=\; (P_1 \parallel P_2);\ \mathbf{local}\ h_1, h_2\ \mathbf{in}\ (Q_1 \parallel Q_2)$$

provided $P_1$ and $P_2$ do not use $h_1$ or $h_2$. Here we have assumed that
the two channels have type chan[unit] since the content of the message used
for synchronization is immaterial. More generally, when none of the $P_i$ use
any of the $h_j$,

$$\mathbf{local}\ h_0, \ldots, h_n\ \mathbf{in}\ \parallel_{i=1}^{n} (P_i;\ h_i!{*};\ h_{i \ominus 1}?{*};\ Q_i)$$

is equivalent to
$(\parallel_{i=1}^{n} P_i);\ \mathbf{local}\ h_0, \ldots, h_n\ \mathbf{in}\ (\parallel_{i=1}^{n} Q_i)$.
Again these laws rely on fairness.

A buffer property

Recall the process buff which behaves like a one-place buffer. It satisfies
the following general law, which codifies the sense in which, when suitably
localized to prevent interaction with extraneous processes, its effect is
trivial. This is an analogue in the non-deterministic setting of the fact that
buff computes the identity relation on histories:

$$\mathbf{local}\ h, h'\ \mathbf{in}\ (P \parallel \mathit{buff}(h, h')) \;=\; \mathbf{local}\ h'\ \mathbf{in}\ P[h'/h],$$

provided $h?$ and $h'!$ do not occur free in $P$. Here $P[h'/h]$ denotes the
process obtained from $P$ by replacing every output on $h$ by output on $h'$.
Note that the law becomes invalid if we remove the enclosing local variable
declaration for $h'$, i.e. under the same assumptions about $h$, $h'$ and $P$
the process $\mathbf{local}\ h\ \mathbf{in}\ (P \parallel \mathit{buff}(h, h'))$
is not generally equivalent to $P[h'/h]$.

7 Reasoning about networks

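We now return again to the prefix-summation network. The fact that the three
different decompositions of the network ($\mathit{sum}_1$, $\mathit{sum}_2$,
and $\mathit{sum}_3$) have the same semantics, and that this coincides with
the trace set of the “flat” version ($\mathit{sum}$), falls out immediately
from the scope contraction law and symmetry, together with the obvious laws of
associativity and commutativity for parallel composition. For example,

$$\begin{array}{rcl}
\mathit{sum}_1 & = & \mathbf{local}\ out, in'\ \mathbf{in}\ (\mathit{reg} \parallel \mathbf{local}\ on\ \mathbf{in}\ (\mathit{add} \parallel \mathit{dup})) \\
 & = & \mathbf{local}\ out, in'\ \mathbf{in}\ \mathbf{local}\ on\ \mathbf{in}\ (\mathit{reg} \parallel (\mathit{add} \parallel \mathit{dup})) \\
 & = & \mathbf{local}\ out, in', on\ \mathbf{in}\ (\mathit{reg} \parallel (\mathit{add} \parallel \mathit{dup})) \\
 & = & \mathbf{local}\ out, in', on\ \mathbf{in}\ (\mathit{add} \parallel \mathit{reg} \parallel \mathit{dup}) \\
 & = & \mathit{sum}
\end{array}$$

The first step in the above proof, using scope contraction, relies on the fact
that reg does not use the channel on.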

To prove the correctness of the sum network we first need to specify what
correctness should mean. Although the most obvious specification might be
that the network should be capable of inputting a sequence of integers and
outputting their sum, this description is insufficiently precise to
characterize the network's behavior accurately. In fact the network is capable
of inputting two integers before emitting the first prefix sum, and this
pattern recurs persistently. Instead we use the following specification:

$$\mathit{sum} \;=\; \bigcup_{v \in V_{int}} in?v;\ \mathit{SUM}(v) \;\cup\; (in?\epsilon)^{\omega}$$

$$\mathit{SUM}(v) \;=\; \bigcup_{v' \in V_{int}} (in?v' \parallel out!v);\ \mathit{SUM}(v + v') \;\cup\; out!v;\ (in?\epsilon)^{\omega}$$

Note that the specification implies that each input triggers the availability
of the next output. Moreover if at any stage the input gets blocked any
pending output will eventually get emitted.

The proof that sum has the trace set specified here is straightforward, using
the laws of the previous section. Of particular relevance are the laws for
local input, local output, global promotion, cyclic synchronization, and the
buffer property. In fact there are several different proofs possible,
essentially corresponding to the different ways in which we might decompose
the network into sub-networks, as in $\mathit{sum}_1$, $\mathit{sum}_2$ and
$\mathit{sum}_3$. Again this mirrors the situation with Kahn’s treatment for
the same network.

    process filter(p, a, b) =
      local x in
        while true do
          (a?x; if x mod p ≠ 0 then b!x);

    process sift(a, out) =
      local b, p in
      begin
        a?p; out!p;
        filter(p, a, b) || sift(b, out)
      end;

    process nats(k, a) = a!k; nats(k + 1, a);

    process primes(out) =
      local a in (nats(2, a) || sift(a, out))

Figure 4: The primes network

It is also easy to show (with only a minor alteration to the proof for sum)
that the non-deterministic network sum' has exactly the same traces and
therefore satisfies the same specification. The non-determinism here occurs
“invisibly”, since it only affects local activity. Similarly it makes no
difference if we reverse the order in which the add node waits for its two
input channels, or even if we allow it to wait in parallel. In all of these
cases the proof is straightforward.

As an example of dynamic networks, Figure 4 lists the nodes of a network based
on the Sieve of Eratosthenes, as discussed in Kahn’s paper. Intuitively,
primes(out) is a dynamically evolving network whose structure at any time is a
chain of filter nodes connecting a nats node to a sift node. It produces, on
channel out, the infinite ascending sequence of prime numbers. The correctness
of this network can also be proved in a straightforward manner.
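
The primes network of Figure 4 run under different fair interleavings, as an added example that is not code from the paper: the output history is the same for every schedule, while a component blocked on an empty channel contributes only stuttering steps. The names Chan, Proc, step and run_primes, the generator-based request protocol and the round-based fair scheduler are assumptions of this sketch.

```python
import random
from collections import deque


class Chan:
    """Unbounded FIFO channel: output never blocks, input needs data."""
    def __init__(self):
        self.q = deque()


# Each node is a generator that yields one request per action:
#   ("recv", ch)     resumed with the value taken from ch
#   ("send", ch, v)  appends v to ch
#   ("spawn", node)  adds a new parallel component (the network grows)

def nats(k, a):
    # process nats(k, a) = a!k; nats(k + 1, a)
    while True:
        yield ("send", a, k)
        k += 1


def filter_node(p, a, b):
    # while true do (a?x; if x mod p != 0 then b!x)
    while True:
        x = yield ("recv", a)
        if x % p != 0:
            yield ("send", b, x)


def sift(a, out):
    # a?p; out!p; filter(p, a, b) || sift(b, out)
    # The recursive call is unrolled into a loop that rebinds a to b.
    while True:
        p = yield ("recv", a)
        yield ("send", out, p)
        b = Chan()                          # local b
        yield ("spawn", filter_node(p, a, b))
        a = b


class Proc:
    def __init__(self, node):
        self.node = node
        self.req = next(node)               # first pending action


def step(proc, procs):
    """Try proc's pending action; return False for a stuttering step."""
    kind, target, *rest = proc.req
    reply = None
    if kind == "recv":
        if not target.q:
            return False                    # empty channel: state unchanged
        reply = target.q.popleft()
    elif kind == "send":
        target.q.append(rest[0])
    else:                                   # "spawn"
        procs.append(Proc(target))
    proc.req = proc.node.send(reply)
    return True


def run_primes(want, seed):
    """Run primes(out) until `want` outputs exist; return (outputs, stutters)."""
    rng = random.Random(seed)
    a, out = Chan(), Chan()
    procs = [Proc(nats(2, a)), Proc(sift(a, out))]
    stutters = 0
    while len(out.q) < want:
        this_round = list(procs)
        rng.shuffle(this_round)             # arbitrary order inside a round
        for proc in this_round:             # every component gets a turn: fair
            if not step(proc, procs):
                stutters += 1
    return list(out.q)[:want], stutters


if __name__ == "__main__":
    for seed in range(3):
        print(seed, run_primes(10, seed))
```

The stutter count varies with the schedule, but the list of outputs does not.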
8  Recovering  Kahn

The trace semantics given above makes sense for non-deterministic networks as
well as for deterministic ones. We now show that the trace set of a
deterministic network is a natural generalization of its Kahn-style history
function, in the sense that the history function can be extracted directly
from the trace set by focussing on traces of a special format.

Given a network in which all free channels are unidirectional, we can extract
an input-output history relation from the traces of the network as follows.
Suppose for simplicity that the network has states of the form $(\rho, \sigma)$,
where $\rho \in I = I_1 \times \cdots \times I_k$ represents the input channels
and $\sigma \in O = O_1 \times \cdots \times O_l$ represents the output
channels. Let $T$ be a trace set over the corresponding state set $I \times O$.
Let $I^{\infty}$ stand for $I_1^{\infty} \times \cdots \times I_k^{\infty}$ and
similarly for $O^{\infty}$. The relation
$\mathit{rel}(T) \subseteq I^{\infty} \times O^{\infty}$ is defined to be

$$\begin{array}{l}
\mathit{rel}(T) = \{(\rho, \sigma) \mid \rho = (\rho_n),\ \sigma = (\sigma_n)\ \& \\
\qquad ((\rho_0, \epsilon), (\delta_0, \sigma_0)) \\
\qquad ((\delta_0 \rho_1, \epsilon), (\delta_1, \sigma_1)) \\
\qquad \ldots \\
\qquad ((\delta_{n-1} \rho_n, \epsilon), (\delta_n, \sigma_n)) \\
\qquad \ldots \in T\}
\end{array}$$

Note that by convention we write $\epsilon^{\omega} = \epsilon$, so that the
same format can serve both for finite and infinite histories.

Intuitively, input history $\rho$ is related by $\mathit{rel}(T)$ to output
history $\sigma$ when there is a “decomposition” $(\sigma_n)$, expressing
$\sigma$ as a sequence of finite chunks, and a corresponding decomposition of
$\rho$ into $(\rho_n)$, such that when the input chunks are supplied
“successively” the corresponding output chunks are produced. We may refer to a
trace of the above format as a justifying trace for $(\rho, \sigma)$. Given the
above assumptions on channel usage, the trace structure implies that
$\delta_0$ is a suffix of $\rho_0$, $\delta_1$ is a suffix of $\rho_0 \rho_1$,
and so on.

In fact it is easy to see that input and output are “oblivious” in the sense
that the potential for input or output to occur does not go away if channels
are primed with “extra” data in the following sense:

• A process has a trace of form
  $\alpha((v\rho, \sigma), (\rho, \sigma'))\beta$ if and only if it has the
  trace $\alpha((v\rho\delta, \sigma), (\rho\delta, \sigma'))\beta$ for all
  $\delta \in I$.

• A process has a trace of form
  $\alpha((\rho, \sigma), (\rho', \sigma v))\beta$ if and only if it has the
  trace $\alpha((\rho, \epsilon), (\rho', v))\beta$.

As a consequence, we can give the following alternative (but equivalent)
formulation of $\mathit{rel}(T)$, which is sometimes easier to work with:

$$\begin{array}{l}
\mathit{rel}(T) = \{(\rho, \sigma) \mid \rho = (\rho_n),\ \sigma = (\sigma_n)\ \& \\
\qquad ((\rho_0, \epsilon), (\delta_0, \sigma_0)) \\
\qquad ((\delta_0 \rho_1, \sigma_0), (\delta_1, \sigma_0 \sigma_1)) \\
\qquad \ldots \\
\qquad ((\delta_{n-1} \rho_n, \sigma_0 \cdots \sigma_{n-1}), (\delta_n, \sigma_0 \cdots \sigma_n)) \\
\qquad \ldots \in T\}.
\end{array}$$

Another important feature of $\mathit{rel}(T)$ is the following Decomposition
Property: the presence of a particular input-output history pair
$(\rho, \sigma)$ in $\mathit{rel}(T)$ can be shown by choosing any
decomposition of $\sigma$ and finding a corresponding decomposition for
$\rho$; the trace set is guaranteed to contain a suitably structured trace of
the format required to establish that $(\rho, \sigma) \in \mathit{rel}(T)$.

The definition of trace-based history relation makes sense for any network,
deterministic or non-deterministic, provided the network uses each channel
unequivocally either for input or for output. To illustrate, we return again
to the buffer processes. According to the above definition, the
(deterministic) one-place and unbounded buffer processes each determine the
identity function on histories:

$$\mathit{rel}(\mathit{traces}[\![\mathit{buff}]\!]) = \{(\rho, \rho) \mid \rho \in V^{\infty}\}$$
$$\mathit{rel}(\mathit{traces}[\![\mathit{buffs}]\!]) = \{(\rho, \rho) \mid \rho \in V^{\infty}\}$$

Similarly, each (non-deterministic) variant also determines the intended
history relation:

$$\mathit{rel}(\mathit{traces}[\![\mathit{buff}']\!]) = \{(\rho, \sigma) \mid \sigma \le \rho\ \&\ \rho, \sigma \in V^{\infty}\}$$
$$\mathit{rel}(\mathit{traces}[\![\mathit{buff}^{*}]\!]) = \{(\rho, \sigma) \mid \sigma \le \rho\ \&\ \rho \in V^{\infty}\ \&\ \sigma \in V^{*}\}.$$

Now recalling some of our other non-deterministic examples, the relations
obtained from the merge and spray processes are also as expected:

$$\mathit{rel}(\mathit{traces}[\![\mathit{merge}]\!]) = \mathit{fairmerge}_V$$

$$\mathit{rel}(\mathit{traces}[\![\mathit{spray}]\!]) = \{(\rho, (\sigma_1, \sigma_2)) \mid (\sigma_1, \sigma_2, \rho) \in \mathit{fairmerge}_V\}.$$

Moreover, it is easy to see from the characterization given earlier for the
traces of sum that $\mathit{rel}(\mathit{traces}[\![\mathit{sum}]\!])$ is
indeed the (graph of the) prefix-sum function. It follows easily that the
deterministic networks $\mathit{sum}_1$, $\mathit{sum}_2$, $\mathit{sum}_3$
and the non-deterministic network $\mathit{sum}'$ also determine the same
relation, since they all have the same trace set as sum.

The prescription given above for $\mathit{rel}(T)$ is rather intuitive, but
differs slightly from Kahn’s approach in that we did not build in continuity.
For example, we have

$$\mathit{rel}(\mathit{traces}[\![\mathbf{skip}]\!]) = \{(\rho, \epsilon) \mid \rho \in V^{*}\}$$
$$\mathit{rel}(\mathit{traces}[\![\mathbf{while\ true\ do\ skip}]\!]) = \{(\rho, \epsilon) \mid \rho \in V^{\infty}\},$$

since skip has only finite traces. In Kahn’s setting both of these processes
denote the same function, i.e. $\lambda \rho \in V^{\infty}.\ \epsilon$. This
inability of Kahn’s model to distinguish between termination and divergence is
insignificant in Kahn’s setting, primarily since sequential composition is not
allowed at the network level. In our setting it makes sense to make the
distinction. For comparison to Kahn’s model we must therefore focus on the
limit-closure of $\mathit{rel}(T)$, which we define to be the smallest
relation $R$ containing $\mathit{rel}(T)$ such that whenever
$\rho_0 \le \rho_1 \le \cdots$ and $\sigma_0 \le \sigma_1 \le \cdots$ are
increasing sequences of finite histories with limits $\rho$ and $\sigma$, the
presence of $(\rho_n, \sigma_n)$ in $R$ for all $n$ implies that
$(\rho, \sigma)$ belongs to $R$. For example it is easy to see that the
limit-closure of $\{(\rho, \epsilon) \mid \rho \in V^{*}\}$ is
$\{(\rho, \epsilon) \mid \rho \in V^{\infty}\}$, as desired to make the above
identification.

We are now in a position to state formally the sense in which our trace
semantics is a natural generalization of Kahn’s model. When $T$ is the trace
set of a uni-directional deterministic network the limit-closure of
$\mathit{rel}(T)$ coincides with the graph of the network’s input-output
function as predicted by Kahn’s semantics. Using the terminology introduced
earlier, we have

$$\textit{limit-closure}(\mathit{rel}(\mathit{traces}[\![P]\!])) = \mathit{str}[\![P]\!]$$

for all Kahn-style deterministic networks $P$. We defer the details of this
proof to Appendix B.

As an important consequence of this result, whenever two networks have the
same traces they induce the same history relation in all contexts. This
follows by compositionality of the traces semantics.

9 Conclusions


We have given a semantics for fair networks of non-deterministic asynchronous
communicating processes. We have shown that our model is a natural
generalization of Kahn-style input-output functions, extended to take into
account the potential for interference between processes. Fairness plays a
vital role in our semantics, a natural outgrowth of its understated supportive
role in Kahn’s original semantics. Despite its historical reputation, fairness
is not especially problematic from the semantic point of view, and can be
incorporated without difficulty.

We have shown that our semantics supports a number of useful laws of program
equivalence that may be used to simplify reasoning about network behavior.
Several of these laws rely crucially on fairness for their soundness, and this
can be an advantage when reasoning about liveness properties. Local
declarations can be used to great effect to build in non-interference
assumptions, such as the inability of one parallel component to modify private
data used by other components.

We have shown that our trace semantics is adequate for reasoning about history
relations, in the sense that processes (either nodes or entire sub-networks)
with the same traces can be interchanged in any network context without
affecting the history relation computed by the resulting network. It would be
interesting to see what additional programming language constructs need to be
added in order to guarantee the converse of this property, i.e. full
abstraction [Mil77, Sto88]. We conjecture that it suffices to add a simple form
of conditional critical region construct, usually written as await B then C,
by analogy with the full abstraction result proven in [Bro93].

The idea of using traces of some kind to model concurrent processes is
widespread. Unlike many traditional models for communicating processes, such
as [Bro94, Hoa78], we work entirely with “complete” traces and we build in
fairness so that the semantics of a process provides a full and precise
description of its potential behaviors under any reasonable scheduling
strategy. By blending channels into the state structure so that communication
becomes a state change we are able to avoid using “process labels” or “channel
labels” to decorate the steps of a trace, and we can avoid the corresponding
book-keeping details that tend to clutter up labelled trace models. For
instance, we have avoided the need for “refusal sets” as a means of modelling
deadlock [Hoa78]. Instead, a deadlocked process manifests itself in our model
as infinite stuttering, which after all is how it will appear to any process
attempting to interact with it: a deadlocked process will never change the
state, and never terminates.

In contrast to several earlier trace-theoretic models [Jon89, Kok87, Rus90,
KP84] we take a different view of state, and of the nature of a step in a
trace, and we build in a different combination of closure conditions on trace
sets. Typically these earlier models were concerned with the search for fully
abstract models of Kahn networks, with respect to a kind of observable
behavior based on Kahn-style input-output functions. Our model is designed to
provide more discriminatory power than Kahn’s semantics, so that our semantics
solves a different problem and fits in a niche at a different level of
abstraction than these models.

It would be interesting to investigate if our semantics can be used to analyze
the relative expressive power of communication primitives, perhaps along lines
suggested by [PS88]. In particular it seems obvious that the expressive power
of our language would be improved if we add a form of channel probe,
permitting a process to test for availability of data without necessarily
inputting it.

10 Appendix A: Operational semantics

We present a structured operational semantics for processes. Configurations
have the form $(P, s)$, where $P$ is a process and $s$ is a state in some
state set $S$; there is also assumed to be an environment $u$ mapping all free
identifiers of $P$ to appropriate bindings over $S$. A configuration is either
terminal, or has one or more enabled transitions. We write
$(P, s) \to (P', s')$ to indicate an enabled transition. We write
$(P, s)\,\mathit{term}$ to indicate a terminal configuration.

We assume given the transition rules for expressions. We write, for instance,
$(e, s) \to^{*} v$ to indicate that $e$ evaluates to value $v$ in state $s$
(and the given environment). Expression evaluation is assumed to be free of
side-effects.

For simplicity in presenting the transition rules let $s = (w, v, \rho)$ be a
state of shape $W \times V \times V^{*}$, and let $x$ and $h$ be bound to the
variable and the channel represented by the final two components of the state,
respectively. We then write $[s \mid x : v']$ for the state $(w, v', \rho)$
obtained by updating the $x$-component of $s$, and $[s \mid h :! v']$ for the
state $(w, v, \rho v')$ obtained by sending $v'$ to the $h$-component of $s$.
We also write $s(x)$ and $s(h)$ for the value of the respective component of
$s$. We also assume that $t$ is a state over $W \times V$ and write
$(t, h : \rho)$ for the obvious corresponding state over
$W \times V \times V^{*}$.

The termination predicate term and the one-step transition relation are
defined to be the smallest relations satisfying the following rules.


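$$(\mathbf{skip}, s)\,\mathit{term}$$

$$\frac{(e, s) \to^{*} v}{(x{:=}e,\ s) \to (\mathbf{skip},\ [s \mid x : v])}$$

$$\frac{(e, s) \to^{*} v}{(h!e,\ s) \to (\mathbf{skip},\ [s \mid h :! v])}$$

$$\frac{s(h) = v\rho}{(h?x,\ s) \to (\mathbf{skip},\ [s \mid x : v,\ h : \rho])}$$

$$\frac{s(h) = \epsilon}{(h?x,\ s) \to (h?x,\ s)}$$

$$\frac{(P_1, s) \to (P_1', s')}{(P_1; P_2,\ s) \to (P_1'; P_2,\ s')}$$

$$\frac{(P_1, s)\,\mathit{term}}{(P_1; P_2,\ s) \to (P_2,\ s)}$$

$$\frac{(B, s) \to^{*} \mathit{tt}}{(\mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2,\ s) \to (P_1,\ s)}$$

$$\frac{(B, s) \to^{*} \mathit{ff}}{(\mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2,\ s) \to (P_2,\ s)}$$

$$(\mathbf{while}\ B\ \mathbf{do}\ P,\ s) \to (\mathbf{if}\ B\ \mathbf{then}\ P;\ \mathbf{while}\ B\ \mathbf{do}\ P\ \mathbf{else}\ \mathbf{skip},\ s)$$

$$\frac{(P_1, s) \to (P_1', s')}{(P_1 \parallel P_2,\ s) \to (P_1' \parallel P_2,\ s')}
\qquad
\frac{(P_2, s) \to (P_2', s')}{(P_1 \parallel P_2,\ s) \to (P_1 \parallel P_2',\ s')}$$

$$\frac{(P_1, s)\,\mathit{term} \quad (P_2, s)\,\mathit{term}}{(P_1 \parallel P_2,\ s)\,\mathit{term}}$$

$$\frac{(P,\ (t, h : \rho)) \to (P',\ (t', h : \rho'))}{(\mathbf{local}\ h = \rho\ \mathbf{in}\ P,\ t) \to (\mathbf{local}\ h = \rho'\ \mathbf{in}\ P',\ t')}$$

$$\frac{(P,\ (t, h : \rho))\,\mathit{term}}{(\mathbf{local}\ h = \rho\ \mathbf{in}\ P,\ t) \to (P,\ t)}$$

11 Appendix B: Recovering Kahn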

We sketch the main ideas behind the key result that connects our semantics and
Kahn’s, i.e.

    If each node $P$ in a uni-directional deterministic network $N$ satisfies

    $$\textit{limit-closure}(\mathit{rel}(\mathit{traces}[\![P]\!])) = \mathit{str}[\![P]\!],$$

    then the network as a whole also has this property, i.e.

    $$\textit{limit-closure}(\mathit{rel}(\mathit{traces}[\![N]\!])) = \mathit{str}[\![N]\!].$$

The proof is by structural induction on the way the network $N$ is built up
using Kahn-style constructs. There are three cases: juxtaposition, cascading,
and feedback.

Juxtaposition

Let $P_1$ and $P_2$ be disjoint networks. Assume without loss of generality
that the state set has shape $W = (I_1 \times I_2) \times (O_1 \times O_2)$,
and that $P_1$ has inputs over $I_1$ and outputs over $O_1$, and similarly for
$P_2$. The network obtained by juxtaposition of $P_1$ and $P_2$ is

$$\mathit{juxtapose}(P_1, P_2) =_{def} P_1 \parallel P_2.$$

Each of its traces is therefore a fair merge of a trace of $P_1$ with a trace
of $P_2$. Since $P_1$ does not use any of the channels of $P_2$, these
channels are left unchanged in every step of every trace of $P_1$; likewise
for $P_2$ and the channels of $P_1$. It is thus easy to see that whenever
$((\rho_1, \rho_2), (\sigma_1, \sigma_2))$ belongs to
$\mathit{rel}(\mathit{traces}[\![P_1 \parallel P_2]\!])$, a justifying trace of
$P_1 \parallel P_2$ is built from a justifying trace of $P_1$ for
$(\rho_1, \sigma_1)$ and a justifying trace of $P_2$ for $(\rho_2, \sigma_2)$.
The converse is also true: merging a justifying trace for
$(\rho_1, \sigma_1)$ with a justifying trace for $(\rho_2, \sigma_2)$ yields a
justifying trace for $((\rho_1, \rho_2), (\sigma_1, \sigma_2))$. Thus

$$\mathit{rel}(\mathit{traces}[\![P_1 \parallel P_2]\!]) = \{((\rho_1, \rho_2), (\sigma_1, \sigma_2)) \mid (\rho_1, \sigma_1) \in \mathit{rel}(\mathit{traces}[\![P_1]\!])\ \&\ (\rho_2, \sigma_2) \in \mathit{rel}(\mathit{traces}[\![P_2]\!])\}.$$

The desired result for $P_1 \parallel P_2$ then follows from the induction
hypothesis for $P_1$ and $P_2$, since

$$\mathit{str}[\![\mathit{juxtapose}(P_1, P_2)]\!] = \{((\rho_1, \rho_2), (\sigma_1, \sigma_2)) \mid (\rho_1, \sigma_1) \in \mathit{str}[\![P_1]\!]\ \&\ (\rho_2, \sigma_2) \in \mathit{str}[\![P_2]\!]\}.$$

Cascading

For ease of presentation we consider only the case involving a single linking
channel. The fully general case can be treated analogously.

Let $W = I \times O$, and let $P_1$ be a process with input channels
corresponding to components of $I$ and a single output channel named $h$ of
type chan[$\tau$], and let $P_2$ have output channels in $O$ and a single
input channel $h$. The network formed by cascading $P_1$ onto $P_2$ is

$$\mathit{cascade}(P_1, h, P_2) =_{def} \mathbf{local}\ h\ \mathbf{in}\ (P_1 \parallel P_2).$$

We claim that

$$\mathit{rel}(\mathit{traces}[\![\mathit{cascade}(P_1, h, P_2)]\!]) = (\mathit{rel}(\mathit{traces}[\![P_2]\!])) \circ (\mathit{rel}(\mathit{traces}[\![P_1]\!])).$$

• To show the inclusion from left to right, suppose

  $$(\rho, \sigma) \in \mathit{rel}(\mathit{traces}[\![\mathit{cascade}(P_1, h, P_2)]\!]).$$

  Then there are decompositions $\rho = (\rho_n)$ and $\sigma = (\sigma_n)$ and
  a trace of $P_1 \parallel P_2$ over $I \times O \times V^{*}$ of form

  $$\begin{array}{l}
  ((\rho_0, \epsilon, \epsilon), (\rho_0', \epsilon, \nu_0)) \\
  ((\rho_0', \epsilon, \nu_0), (\rho_0', \sigma_0, \nu_0')) \\
  ((\rho_0' \rho_1, \sigma_0, \nu_0'), (\rho_1', \sigma_0, \nu_0' \nu_1)) \\
  ((\rho_1', \sigma_0, \nu_0' \nu_1), (\rho_1', \sigma_0 \sigma_1, \nu_1')) \\
  ((\rho_1' \rho_2, \sigma_0 \sigma_1, \nu_1'), (\rho_2', \sigma_0 \sigma_1, \nu_1' \nu_2)) \\
  \ldots
  \end{array}$$

  in which (without loss of generality) $P_1$ and $P_2$ contribute alternate
  steps (see footnote 8). This trace arises as a fair merge of the traces

  $$\begin{array}{l}
  ((\rho_0, \epsilon), (\rho_0', \nu_0)) \\
  ((\rho_0' \rho_1, \nu_0'), (\rho_1', \nu_0' \nu_1)) \\
  ((\rho_1' \rho_2, \nu_1'), (\rho_2', \nu_1' \nu_2)) \\
  \ldots
  \end{array}$$

  of $P_1$, and

  $$\begin{array}{l}
  ((\nu_0, \epsilon), (\nu_0', \sigma_0)) \\
  \ldots
  \end{array}$$

  of $P_2$. Let $\nu = \nu_0 \nu_1 \ldots$. It follows that $(\rho, \nu)$
  belongs to $\mathit{rel}(\mathit{traces}[\![P_1]\!])$ and $(\nu, \sigma)$
  belongs to $\mathit{rel}(\mathit{traces}[\![P_2]\!])$. Hence
  $(\rho, \sigma)$ belongs to the composition of these two relations, as
  required.

  Footnote 8: Any other trace of this process can be put into this form by
  inserting stuttering steps.

• For the reverse direction, suppose
  $(\rho, \nu) \in \mathit{rel}(\mathit{traces}[\![P_1]\!])$ and
  $(\nu, \sigma) \in \mathit{rel}(\mathit{traces}[\![P_2]\!])$. Choose the
  “justifying” trace for $(\rho, \nu)$ of $P_1$ to match the decomposition of
  $\nu$ used in the justifying trace for $(\nu, \sigma)$ of $P_2$. (The
  ability to make this choice relies on the Decomposition Property mentioned
  earlier.) Then interleave these traces in the obvious manner, leaving the
  local channel unchanged across step boundaries, to obtain a justifying trace
  for $(\rho, \sigma)$ of $\mathbf{local}\ h\ \mathbf{in}\ (P_1 \parallel P_2)$,
  as required.

It then follows that if $P_1$ and $P_2$ satisfy the induction hypothesis, so
does $\mathit{cascade}(P_1, h, P_2)$, since

$$\mathit{str}[\![\mathit{cascade}(P_1, h, P_2)]\!] = \mathit{str}[\![P_2]\!] \circ \mathit{str}[\![P_1]\!].$$

Feedback

Let $P$ be a network using channel $h$ for input and $h'$ for output, and
assume that the state set has shape $W \times V^{*} \times V^{*}$, the last
two components representing these two channels respectively. The network
obtained by feeding $h'$ back as input to $h$ is:

$$\mathit{feedback}(P, h, h') =_{def} \mathbf{local}\ h\ \mathbf{in}\ [h'/h]P.$$

This feedback network has traces of the form

$$(w_0, w_0')(w_1, w_1')(w_2, w_2') \ldots$$

such that $P$ has a trace of the form

$$((w_0, \epsilon, \epsilon), (w_0', \epsilon, \nu_0))\,((w_1, \nu_0, \epsilon), (w_1', \nu_0', \nu_1))\,((w_2, \nu_0' \nu_1, \epsilon), (w_2', \nu_1', \nu_2)) \ldots$$

(Feedback is effected here, intuitively, by sliding messages from the
$h'$-component to the $h$-component.) According to Kahn’s least-fixed-point
characterization a pair $(\rho, \sigma)$ belongs to the limit-closure of the
input-output function of the feedback network if and only if there are
decompositions $\rho = (\rho_n)$ and $\sigma = (\sigma_n)$, and a sequence
$\nu = \nu_0 \nu_1 \ldots$ such that

• $((\rho_0, \epsilon), (\sigma_0, \nu_0)) \in \mathit{str}[\![P]\!]$;

• $((\rho_0 \rho_1, \nu_0), (\sigma_0 \sigma_1, \nu_0 \nu_1)) \in \mathit{str}[\![P]\!]$;

• $((\rho_0 \rho_1 \rho_2, \nu_0 \nu_1), (\sigma_0 \sigma_1 \sigma_2, \nu_0 \nu_1 \nu_2)) \in \mathit{str}[\![P]\!]$

and so on. Using this formulation, which echoes the way in which data is
transferred on the internal channel, it is straightforward to establish the
connection: the sequence $\epsilon$, $\nu_0$, $\nu_0 \nu_1$, and so on
converges to the history (for the feedback channel) corresponding to the least
fixed point, as prescribed by Kahn’s semantics. Hence, if $P$ satisfies the
induction hypothesis, so does $\mathit{feedback}(P, h, h')$.